How To Install VBoxAdditions using Commandline In Ubuntu 16.04.2

I ran into a problem installing the Additions package without a GUI, so I thought I’d pop the resolution on here. I was using the VirtualBox interface to insert the CD image and trying to install from there, but kept getting this error: “vboxadd-service…. failed!”

This is usually due to the Linux headers being missing, so I ran the following:

sudo apt-get install linux-headers-$(uname -r)

This told me my headers were up to date, but the Guest Additions still wouldn’t install.

I thought I’d try a different route.

First I updated:

sudo apt-get update

I downloaded the ISO with the following:

sudo apt-get install virtualbox-guest-additions-iso

Then we need to browse to the downloaded location, which by default is:

cd /usr/share/virtualbox/

It showed that there were some required packages (DKMS plus a compiler toolchain to build the kernel modules), so I installed those next:

sudo apt-get install dkms gcc make

Once that confirmed it had installed without errors, we mount the downloaded ISO:

sudo mount -o loop VBoxGuestAdditions.iso /mnt

Then go to the mounted location:

cd /mnt

Then install:

sudo ./VBoxLinuxAdditions.run

This time hey presto! All installed.

Protect WordPress Login page and admin panel

If you run a WordPress site and have any kind of network monitoring, you’ll see endless brute-force attempts on your login page.

A strong password will only do so much, so really you want the login page to be available only to legitimate IP addresses.

This is easy to achieve and offers great protection: if someone requests the login page but is not connecting from a listed IP, the page will not be served.

First we need to go to our active config file. On a LEMP stack running WordPress that is:

sudo nano /etc/nginx/sites-enabled/wordpress

Then we add the following to our server block as its own location block (replace 11.11.11.111 with your own IP):

location ~ ^/(wp-admin|wp-login.php) {
    allow 11.11.11.111;
    deny all;
}

And that’s it. You can access your login page and admin panel, but it’s not available to the rest of the internet. If your site is not using https then you should seriously consider setting up a VPN to log in and administer your site.
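
The same allow-list in a fuller server block, as an added example that is not from the original post: it shows where the restricted block sits relative to the PHP handler, since nginx uses the first matching regex location in file order. The socket path, document root, host name and the 192.0.2.0/24 office range are assumptions; 11.11.11.111 is the post’s placeholder.

```nginx
# Added example (not from the original post): the allow-list from the post,
# with the PHP handler nested inside it so an allowed request for
# wp-login.php or a wp-admin/*.php page is still handed to PHP-FPM.
# Assumptions: PHP-FPM listens on the unix socket below, fastcgi_params
# exists, and 11.11.11.111 is the placeholder admin address from the post.
server {
    listen 80;
    server_name yoursite.com;
    root /var/www/wordpress;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Front-end plugins call admin-ajax.php from visitors' browsers, so it
    # usually has to stay public. nginx uses the first matching regex
    # location in file order, so this exception must come before the
    # restricted block.
    location ~ ^/wp-admin/admin-ajax\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Login page and admin area: listed addresses only, everyone else gets 403.
    location ~ ^/(wp-login\.php|wp-admin/) {
        allow 11.11.11.111;          # your own address
        allow 192.0.2.0/24;          # an office range (assumed); rules are checked in order
        deny  all;

        # Because this regex block wins for wp-login.php, the generic
        # ~ \.php$ block below never sees it. Without a nested handler
        # nginx would treat the file as static content, so PHP runs here.
        # allow/deny are inherited into the nested location.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check it from an unlisted address with `curl -I https://yoursite.com/wp-login.php`: you should get a 403, while the front page and admin-ajax.php still respond normally.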

Custom HTTP Headers (nginx, WordPress)

If you have a website and you are not implementing some custom headers, you may want to look into it. These are not set by default and help protect your site (and its visitors) from several classes of client-side attack.

To start with, go to https://securityheaders.io/ and scan your site. If you have none of these headers implemented, your site will score very poorly. Don’t forget that with these headers we aren’t only protecting our site, but our site visitors as well.

The ones we are going to look at protect against cross-site scripting, malicious content and drive-by downloads, and stop your site being viewed in an iframe. We will also stop the site advertising server and software details, for example the server build and PHP version. The reasons for this are not covered here, but if you are interested you can go here and read this brilliant article by @Scott_Helme.

For today we will be concentrating on WordPress installed on a LEMP stack. Firstly we need to back up our config, and then go to our active config file (yours may be different depending on your setup). Also note that the Strict-Transport-Security header is for https sites only.

sudo nano /etc/nginx/sites-enabled/wordpress

Then in our http server block we add the following (if using https on your site, put the headers in both blocks):

add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src yoursite.com";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
server_tokens off;

You can see the layout in the screenshot.

We save the changes, then run the following to test for typos:

sudo nginx -t

Then

sudo service nginx restart

Finally we change a setting in the php.ini file for our PHP version to disable the version broadcast:

sudo nano /etc/php5/fpm/php.ini

We need to change:

expose_php = on

to:

expose_php = off

Save and close the file, then restart PHP:

sudo service php5-fpm restart

To check all this is working correctly, go back to Security Headers and scan your site again. Your site’s rating should be significantly better.
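
The full header set from this post laid out as a reusable snippet, as an added example that is not from the original post. It also covers two things that catch people out in practice: nginx does not merge add_header across levels, and the CSP as written blocks inline scripts. The snippet path, host name, socket path and document root are assumptions.

```nginx
# Added example (not from the original post): the headers from the post kept in
# one snippet file so exactly the same set is sent from every block that needs it.
# Assumptions: snippet path below, yoursite.com as placeholder host, PHP-FPM on
# the unix socket shown, TLS already configured in this server block.

# --- /etc/nginx/snippets/security-headers.conf ---
# 'always' attaches each header to 4xx/5xx responses too, not just 2xx/3xx.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# Same-origin-only policy as in the post. It blocks the inline scripts and
# styles that WordPress and many plugins emit, so ship it as Report-Only
# first, read the browser console, then drop "-Report-Only" once it is clean.
add_header Content-Security-Policy-Report-Only "default-src 'self'" always;
# https server block only: browsers ignore HSTS received over plain http.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# --- /etc/nginx/sites-enabled/wordpress ---
server {
    listen 443 ssl;
    server_name yoursite.com;
    root /var/www/wordpress;
    index index.php;

    server_tokens off;                 # no version in Server: or on error pages
    fastcgi_hide_header X-Powered-By;  # belt and braces alongside expose_php = off
    include snippets/security-headers.conf;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # The login page must never be cached. add_header is not merged across
    # levels: a block that sets any add_header of its own loses every header
    # inherited from the server block, so the snippet is included again here.
    location = /wp-login.php {
        include snippets/security-headers.conf;
        add_header Cache-Control "no-store" always;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # No add_header here, so this block inherits the server-level set.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Run `sudo nginx -t` after saving, then compare `curl -sI https://yoursite.com/` with `curl -sI https://yoursite.com/wp-login.php`: both should carry the full header set.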

Security Onion

I’ve been meaning to try this out for a while, but I get carried away with Red Team fun and neglect my Blue Team skills! I heard a lot about Security Onion, so I set about setting up a server.

To get full functionality out of it you will need to set up a mirrored port on your switch or router to ensure you are seeing all the network traffic, but that won’t be covered here. The Security Onion machine needs two adapters: one for remote connection to administer it and to download updates from the internet etc., and a second, the monitoring adapter, which connects to your mirrored port.

Initially I wanted to run Security Onion in Hyper-V, however after hours of banging my head against a brick wall I gave up and installed on a physical machine.

The main issue is the way that Hyper-V uses its virtual switches in 2008 R2; it seems impossible to run one in full promiscuous mode. I tried numerous PowerShell scripts, but when checking Wireshark there was still traffic missing. VirtualBox allows a real bridged connection to a NIC and is simple to configure for network monitoring; the fact you can’t do this in Hyper-V infuriates me! If anyone knows how to do it please let me know, but in the end I got bored fighting Hyper-V and installed on a physical machine.

The official guide is here:

I use Ubuntu quite a bit so wanted to install the Security Onion tools on one of my templated server images rather than download the ISO.

On an Ubuntu Server we clear the cached apt package lists, and then update:

sudo rm -rf /var/lib/apt/lists/*
sudo apt-get update

Then we add the stable repos (also found here) and update again:

sudo apt-get -y install software-properties-common
sudo add-apt-repository -y ppa:securityonion/stable
sudo apt-get update

You then need to configure debconf to run non-interactively so MySQL does NOT prompt for a root password:

echo "debconf debconf/frontend select noninteractive" | sudo debconf-set-selections

Now we can use apt to install the Security Onion package:

sudo apt-get -y install securityonion-all syslog-ng-core

Before running setup we should have both network adapters connected.

Run setup for the first time:

sudo sosetup

Follow the prompts and make sure you choose the correct interface when asked which one will be monitored.

Now restart.

Before completing setup we need to check we are seeing all traffic, so fire up Wireshark:

sudo wireshark

Run a simple test like sending pings between machines on your network and make sure you can see them in Wireshark; if all good, then we can continue.

Now, if you haven’t already got one, go to snort.org and get an ‘oinkcode’, then run setup again:

sudo sosetup

This time we can skip network configuration and select:

  1. Production Mode
  2. Standalone
  3. Custom
  4. Create a username and password
  5. Retain Logs ’30’
  6. Re-run database repair ‘7’
  7. IDS engine ‘Suricata’
  8. Select ‘Snort VRT Ruleset and Emerging Threats NoGPL Ruleset’ then paste in your oinkcode.
  9. PF_RING_slots ‘65534’
  10. Make sure the correct interface is selected for monitoring
  11. Enable the IDS engine ‘yes’
  12. If you are only monitoring one interface select ‘2’
  13. Add your internal network IP range/s
  14. Enable Bro ‘yes’
  15. Enable exe extraction ‘no’ (If you want to do this you can, I will test this further before implementing)
  16. Enable http_agent ‘no’ (As we will be using Bro’s http.log via ELSA)
  17. Disable Argus
  18. Disable Prads
  19. Enable full packet capture ‘yes’
  20. Pcap file size ‘150’
  21. PF_RING buffer size ‘512’
  22. The log purge threshold will purge your logs once this threshold is reached, so you need to choose this based on how long you want to retain logs for and how much storage you have available. I went with the default 90%.
  23. Enable ELSA ‘yes’
  24. ELSA storage, I left at default.
  25. Confirm your changes.

BOOM! After another restart you will be up and running; use the new shortcuts on the desktop to log in to ELSA, Squert and Sguil, and be prepared to be scared shitless by what you find!

If you want to enable remote access you need to run:

sudo so-allow

This will run a script to help you set up remote access to the Security Onion server if you so wish.

You can also download and install OSSEC if you wish from here:

Check out the installation requirements for your system. In my case I needed to run:

sudo apt-get install build-essential

Then download the latest tar from the OSSEC GitHub.

Then extract the tar.gz:

tar -zxvf ossec-hids-*.tar.gz

Then go to the directory it was extracted to (not the archive itself). In my case:

cd Downloads/ossec-hids-*/

Then run the install:

sudo ./install.sh

If you receive no errors, then to start OSSEC run:

sudo /var/ossec/bin/ossec-control start

Now start digging into all the alerts on your network and look at how you can resolve them! I’ll be blogging my findings in the coming weeks. It’s scary shit if you have something important you’re trying to protect rather than just a witty cyber blog! Good luck, you’re gonna need it.

Exchange 2016. New Install Issues.

Recently I did a test install of Exchange 2016 and ran into a few problems which drove me mad for a while as the issues and symptoms did not give any clue as to how they were eventually resolved!

I did a fresh install on a stand-alone Hyper-V virtual server with 4000 GB of static RAM, 4 processor cores and a 40GB VHD.

Microsoft recommends a minimum of 8GB for the mailbox role (see here), but I couldn’t believe it would actually need this much on a test server, and I’ve always used way less than the recommended amount for initial test installs as they will be under no stress at all.

The install seemed to go fine, all the prerequisites were installed by the downloaded media, and the server restarted. On trying to open the web panel I was continually told that there was a memory error and to try again later. I ramped up the RAM 1GB at a time, but I couldn’t log in to the panel until the server had the full 8GB assigned.

After creating my first test mailbox, whenever I tried to send an email I received the below error:

“You don’t have permission”? WTF! After going round and round in circles looking at user permissions, believing that I needed to assign user permissions, I found an obscure forum post which pointed me in the right direction. The solution was to remove the secondary DNS entry from the Exchange server’s network adapter! After removing this and restarting the server, the error disappeared.

I was now able to log in and send emails internally and externally; however, I was not able to receive emails, either internal or external. I wasn’t getting any bouncebacks, which could have given me some information on what was going on, and I double-checked my external DNS and MX records but all were correct.

In the end I used the Microsoft Connectivity Tool and this pointed out my issue immediately: disk space. Even though the Exchange server had only 1 mailbox and nothing else installed, 40GB wasn’t enough! I checked disk space and there was plenty of room, but after digging a bit deeper it turns out that Exchange needs a percentage of free disk space, so the VHD had to be expanded. Once this was increased I finally had a working Exchange server. Hope this helps someone else, as this drove me crazy for a few hours and the errors were not pointing me in the right direction.

Eternal Blue Scan and Exploit Demo

It’s everywhere at the moment: ms17_010, or Eternal Blue as it’s affectionately known. It’s another great example of why it’s so important not only to keep your antivirus solution up to date, but also to install the latest patches for your OS. This exploit requires just two things: that the port is open and that the required patch is not installed. In this demonstration we are attacking Windows Server 2008, set up using the Metasploitable 3 script from this project: https://github.com/rapid7/metasploitable3

You can see that both the scanner and the exploit are built right into Metasploit and they are very easy to use. Patch your machines, even if you think you can’t; set up a test environment and try. Make good backups, and check that they work. Enjoy the video.

If you want to set up Metasploitable 3 you need to do a bit of legwork; it doesn’t just work out of the box like its predecessor, and you need to install some prerequisites. The guides I used are here http://www.prodefence.org/2017/06/setup-metasploitable-3-windows-10/ and here https://www.youtube.com/watch?v=i_K2cZcTXeI&t=580s